I want to access a local server by connecting to WAN_IP:22299. When I try to do that using PuTTY I get "Connection timed out".
I can access the local server using PuTTY from inside the LAN. I can also see the attempts in the router log.

Thank you for the reply. I've just tried that; it doesn't help.
I wonder what else it could be. It must be something with iptables, since I can connect to the target server from another LAN computer but not from the outside.

Quote:

Originally Posted by Mopar93

Try this iptables command, but change the 1.2.3.4 to the actual IP that is used on the public internet side:

What I posted will work as long as you put the correct IP where I put 1.2.3.4 at. Some modems do not have a router built in and some do. That means that the ethernet interface in your firewall machine that is on the wan side is either going to carry the same IP address that is used on the internet or it will have its own local ip which should be a different local network than your internal network. For instance you use the 10.1.1.0/24 network on the inside. Therefore the wan side interface is either going to use the public internet IP address or it's going to use a different network such as 10.0.0.0/24.

Whatever IP is used on that particular wan side interface is what should go where I put 1.2.3.4. Use the "ifconfig" command to see what IP is assigned to it.

Also, Lazydog included a suggestion that you should use: -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Be sure to check out his other suggestion to have forwarding turned on.

Do you have more than one public IP and are using multiple virtual interfaces on the wan side of your firewall? If so, there is another setting you need to make. Let me know and I'll add more.

-Maurice

04-09-2012

vytas

Thanks for your help.

Quote:

Originally Posted by Lazydog

Stupid question but is FORWARDing turned on?

Yes, forwarding is turned on, since I have configured several PREROUTING rules to reach several machines inside the LAN via remote desktop from the internet.
Regarding the default DROP policy for the FORWARD chain: LAN computers can't browse the internet when I do this. I probably need to add more rules, but I will deal with that later :)

Quote:

Originally Posted by Lazydog

-A POSTROUTING -o <WAN-INT> -j MASQUERADE

I tried that. It doesn't help. I suppose I should use:
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j SNAT --to-source <WAN-IP>
instead of MASQUERADE, since my WAN IP is static, not dynamic. Or should I use MASQUERADE anyway?

Quote:

Originally Posted by Mopar93

Whatever IP is used on that particular wan side interface is what should go where I put 1.2.3.4. Use the "ifconfig" command to see what IP is assigned to it.

Yes, I know my WAN IP and I'm using it correctly, as you said.

Quote:

Originally Posted by Mopar93

Also, Lazydog included a suggestion that you should use: -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

This is included in my rules.

Quote:

Originally Posted by Mopar93

Do you have more than one public IP and are using multiple virtual interfaces on the wan side of your firewall? If so, there is another setting you need to make. Let me know and I'll add more.

No, no multiple interfaces on WAN side.

So, according to your suggestion, I'm pasting my iptables rules script. Could you please take a look and tell me what else I should try? Also, I don't understand one thing. I cannot ping from the firewall machine to the LAN server I want to reach through SSH, although I can ping all the other servers. And from any computer inside the LAN I can ping the server that I want to SSH to. The firewall of the target server is turned off. Maybe the problem doesn't lie in iptables?

I always use MASQUERADE, as it is easier to do than playing with SNAT.
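The rule set the thread is circling around, written out as an added example (not code posted by anyone in the thread). It shows the DNAT for WAN_IP:22299, the FORWARD rules needed once the FORWARD policy is DROP (the missing LAN-to-internet accept is why "LAN computers can't browse"), and SNAT with a static WAN IP beside the MASQUERADE equivalent. Interface names, the public IP 203.0.113.10, and the internal host 10.1.1.50 are assumptions; the 10.1.1.0/24 network and port 22299 come from the thread. The one point that trips most people up is in the FORWARD rule: DNAT in PREROUTING rewrites the destination before the filter table sees the packet, so FORWARD must match the internal address and port 22, not 22299.

```shell
#!/bin/sh
# Added example: port-forward WAN_IP:22299 to an internal SSH server with a
# DROP policy on FORWARD. Prints the commands by default; run with APPLY=1
# (as root) to execute them. Everything below marked "assumption" is made up
# for the example and must be replaced with the real values.

WAN_IF=${WAN_IF:-eth0}           # assumption: interface holding the public IP
LAN_IF=${LAN_IF:-eth1}           # assumption: interface facing 10.1.1.0/24
WAN_IP=${WAN_IP:-203.0.113.10}   # assumption: the static public IP (TEST-NET-3)
LAN_NET=${LAN_NET:-10.1.1.0/24}  # from the thread
SSH_HOST=${SSH_HOST:-10.1.1.50}  # assumption: the internal SSH server
EXT_PORT=${EXT_PORT:-22299}      # from the thread: port exposed on the WAN
INT_PORT=${INT_PORT:-22}         # sshd port on the internal host
APPLY=${APPLY:-0}                # 0 = print only, 1 = execute

# run CMD...: execute when APPLY=1, otherwise print the exact command line
run() {
    if [ "$APPLY" = 1 ]; then
        "$@"
    else
        echo "$*"
    fi
}

build_rules() {
    # Routing between interfaces is off by default; DNAT alone does nothing
    # if the kernel refuses to forward the rewritten packet.
    run sysctl -w net.ipv4.ip_forward=1

    # nat/PREROUTING: rewrite WAN_IP:22299 -> SSH_HOST:22 on packets arriving
    # on the WAN interface only (-i), so LAN hosts are unaffected.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$EXT_PORT" \
        -j DNAT --to-destination "$SSH_HOST:$INT_PORT"

    # filter/FORWARD with a DROP policy. Order matters: the ESTABLISHED rule
    # first, then the explicit openings for NEW connections.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # LAN -> internet; without this rule LAN hosts cannot browse.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # The forwarded SSH session: match the post-DNAT destination, i.e. the
    # internal address and port 22, NOT the external port 22299.
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$SSH_HOST" \
        --dport "$INT_PORT" -m state --state NEW -j ACCEPT

    # nat/POSTROUTING: source NAT for LAN -> internet. With a static public
    # IP, SNAT to that IP is slightly cheaper than MASQUERADE, which looks the
    # source address up on every packet and drops state when the interface
    # goes down. Functionally either line works; pick one, not both.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" \
        -j SNAT --to-source "$WAN_IP"
    # Equivalent for a dynamic WAN IP:
    #   iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

build_rules
```

To confirm the DNAT is being hit at all, watch the counters with `iptables -t nat -L PREROUTING -n -v` while connecting from outside: if the packet count on the 22299 rule stays at zero, the packets never reach the firewall (upstream modem/router, wrong public IP), and no iptables change will help. If it increments but FORWARD's counters do not, the DNAT or the FORWARD match is wrong. If both count and the connection still times out, the firewall itself cannot reach the host, which is the routing/ARP problem the thread turns to next.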

04-10-2012

vytas

Quote:

Originally Posted by Lazydog

Try these rules

I added your rules (except the ones related to forwarding) with no luck. I still can't connect to the local server through SSH from the internet. It's a pity I cannot test and play with it thoroughly, since it's a production environment and I add rules mostly remotely :) I'm curious what I'm doing wrong. As I understand it, there is no need to add FORWARD rules if the FORWARD policy is set to ACCEPT. And there are very few examples of SSH forwarding on the net that I have found.
If you have any other ideas, please let me know.

04-10-2012

Mopar93

It's starting to sound like you might have a routing problem from the firewall machine to the machine you want to SSH to. If you can't ping it, you won't be able to solve your SSH problem either.

I looked at your first message again and see that you have two internal networks, 192.x and 10.x. Does this mean that you have 3 interfaces in the firewall machine, one for the WAN and two for the two LAN networks?

-Maurice

04-10-2012

vytas

Quote:

Originally Posted by Mopar93

Does this mean that you have 3 interfaces in the firewall machine, one for the WAN and two for the two LAN networks?

No, there is only one LAN interface, but virtual interfaces are used to create separate LANs. I attach my ifconfig: